@@ -161,8 +161,8 @@ or on combining URL components into a URL string.
161161
162162 .. warning ::
163163
164- The :func: `urlparse ` API does not perform validation. See :ref: `URL
165- parsing security <url-parsing-security>` for details.
164+ :func: `urlparse ` does not perform validation. See :ref: `URL parsing
165+ security <url-parsing-security>` for details.
166166
167167 .. versionchanged :: 3.2
168168 Added IPv6 URL parsing capabilities.
@@ -334,8 +334,8 @@ or on combining URL components into a URL string.
334334
335335 .. warning ::
336336
337- The :func: `urlsplit ` API does not perform validation. See :ref: `URL
338- parsing security <url-parsing-security>` for details.
337+ :func: `urlsplit ` does not perform validation. See :ref: `URL parsing
338+ security <url-parsing-security>` for details.
339339
340340 .. versionchanged :: 3.6
341341 Out-of-range port numbers now raise :exc: `ValueError `, instead of
@@ -432,29 +432,29 @@ or on combining URL components into a URL string.
432432URL parsing security
433433--------------------
434434
435- The :func: `urlsplit ` and :func: `urlparse ` APIs do not perform **validation **
436- of inputs. They may not raise errors on inputs that other applications
437- consider invalid. They may accept and pass through some inputs that might
438- not be considered URLs elsewhere as unusually split component parts. Their
439- purpose is for practical functionality rather than purity.
440-
441- Instead of raising an exception on unusual input, they may instead return
442- some components as empty `` "" `` strings. Or components may contain more than
443- perhaps they should.
444-
445- We recommend that users of these APIs where the values may be used anywhere
446- with security implications code defensively. Do some verification within
447- your code before trusting a returned component part. Does that ``scheme ``
448- make sense? Is that a sensible ``path ``? Is there anything strange about
449- that ``hostname ``? etc.
450-
451- What constitutes a URL is not universally well defined. Different
452- applications have different needs and desired constraints. For instance the
453- living ` WHATWG spec
454- browser require. While :rfc: `3986 ` is more general. These functions
455- incorporate some aspects of both, but cannot be claimed compliant with
456- either. Our APIs and code with expectations on their behaviors predate both
457- standards. We attempt to maintain backwards compatibility .
435+ The :func: `urlsplit ` and :func: `urlparse ` APIs do not perform **validation ** of
436+ inputs. They may not raise errors on inputs that other applications consider
437+ invalid. They may also succeed on some inputs that might not be considered
438+ URLs elsewhere. Their purpose is for practical functionality rather than
439+ purity.
440+
441+ Instead of raising an exception on unusual input, they may instead return some
442+ component parts as empty strings. Or components may contain more than perhaps
443+ they should.
444+
445+ We recommend that users of these APIs where the values may be used anywhere
446+ with security implications code defensively. Do some verification within your
447+ code before trusting a returned component part. Does that ``scheme `` make
448+ sense? Is that a sensible ``path ``? Is there anything strange about that
449+ ``hostname ``? etc.
450+
451+ What constitutes a URL is not universally well defined. Different applications
452+ have different needs and desired constraints. For instance the living ` WHATWG
453+ spec `_ describes what user facing web clients such as a web browser require.
454+ While :rfc: `3986 ` is more general. These functions incorporate some aspects of
455+ both, but cannot be claimed compliant with either. The APIs and existing user
456+ code with expectations on specific behaviors predate both standards leading us
457+ to be very cautious about making API behavior changes .
458458
459459.. _parsing-ascii-encoded-bytes :
460460
0 commit comments